Re: [Openvpn-users] Weird route issue with VMWare


  • Subject: Re: [Openvpn-users] Weird route issue with VMWare
  • From: Jan Just Keijser <janjust@xxxxxxxxx>
  • Date: Sat, 12 Jan 2008 03:09:30 +0100

Hi Rida,

I am not surprised that that route statement did not work: it's a route 
to a subnet pointing to itself!
If the host running the openvpn software is 10.8.0.1 itself then no 
extra route statement should be required.
However, how vmware routes traffic between the different VMs is a 
different matter; is routing enabled on the server?

HTH,

JJK

Rida wrote:
> Hi,
>  
> Thanks for the quick answer. Actually, I tried to "fix" this (because
> I've seen the tip in the openvpn faq), but impossible to add the route
> on the virtual machines. ie "route add -net 10.1.0.0 netmask 255.255.255.0
> gw 10.1.0.1" tells me "Network unreachable" (but I can ping it from there).
> And yes, there is a default gateway (10.8.0.1)
>
> Regards,
> Rida.
>  
> On Jan 11, 2008 2:30 AM, Jan Just Keijser <janjust@xxxxxxxxx 
> <mailto:janjust@xxxxxxxxx>> wrote:
>
>     Hi Rida,
>
>     this does not sound like a VMware issue but more like a routing
>     issue.
>     How would clients in the vmnet8 domain (10.8.0.128) know where to send
>     stuff back to? Do they know that all packets intended for 10.1.0.6
>     should be fed back to the openvpn server? In most cases the clients on
>     your LAN (vmnet LAN in this case) will not know any route for the
>     10.1.0 net and will return packets thru the default gateway. Again, in most
>     cases that is not what you want ;-)
>
>     HTH,
>
>     JJK
>
>     PS I use an openvpn-on-vmware setup all the time without problems (tun
>     setup).
>
>
>     Rida wrote:
>     >
>     > Hello everybody,
>     >
>     > I want, first, to say thank you to all openvpn developers for this
>     > very useful
>     > piece of software! Happy new year too.
>     >
>     > So, I got a very strange problem that is getting on my nerves because I
>     > can't resolve the issue. I got vmware server running on a basic server;
>     > there is 1 virtual network (in NAT mode). Here are the routes on the server
>     > (after vmware and openvpn are started):
>     >
>     > 10.1.0.2 dev tun0  proto kernel  scope link  src 10.1.0.1
>     > 10.8.0.0/24 dev vmnet8  proto kernel  scope link  src 10.8.0.1
>     > <public-ip> dev eth0  proto kernel  scope link  src <public-ip>
>     > 10.1.0.0/24 via 10.1.0.2 dev tun0
>     > default via 91.121.95.254 dev eth0
>     >
>     > Nothing special then (the only thing to keep in mind is that vmware
>     > uses source routing). I set up an openvpn server on the server (the one
>     > with the public IP), and it is working fine, because I can connect to it
>     > and I got an IP address on windows clients. Here's the server's
>     > configuration file:
>     >
>     > local <public-ip>
>     > port 1194
>     > proto tcp
>     > dev tun
>     > ca keys/ca.crt
>     > cert keys/server.crt
>     > key keys/server.key
>     > dh keys/dh1024.pem
>     > server 10.1.0.0 255.255.255.0
>     > ifconfig-pool-persist ipp.txt
>     > push "route 10.2.0.0 255.255.255.0"
>     > push "route 10.8.0.0 255.255.255.0"
>     > push "route-delay 2 600"
>     > client-to-client
>     > keepalive 10 120
>     > tls-auth keys/ta.key 0
>     > cipher AES-128-CBC # AES
>     > comp-lzo
>     > max-clients 250
>     > user nobody
>     > group nobody
>     > persist-key
>     > persist-tun
>     > status /var/log/openvpn-status.log
>     > log-append /var/log/openvpn.log
>     > verb 6
>     > mute 20
>     >
>     > Now the clients one:
>     >
>     > client
>     > dev tun0
>     > proto tcp
>     > remote 91.121.95.16 1194
>     > resolv-retry infinite
>     > nobind
>     > persist-key
>     > persist-tun
>     > ca ca.crt
>     > cert client.crt
>     > key client.key
>     > ns-cert-type server
>     > tls-auth ta.key 1
>     > cipher AES-128-CBC # AES
>     > comp-lzo
>     > verb 3
>     >
>     > Still nothing special, these are basic configuration files. First, I'll
>     > "draw" a network topology so you'll have a better idea of how vmware
>     > implements its NAT (hope there is no error):
>     >
>     > [Windows client](10.1.0.6/30 tap) <-> (10.1.0.5/30 tap gw) <-> (10.1.0.2/24 vpn
>     > real gw) <-> (10.1.0.1/24 tun) [server] (10.8.0.1/24 vmnet8) <-> [virtual
>     > machine](10.8.0.128/24 gw 10.8.0.1/24)
>     >
>     > The virtual machine route is just a default gw to 10.8.0.1/24. Routes on the
>     > client:
>     >
>     > Active Routes:
>     > Network Destination        Netmask          Gateway       Interface  Metric
>     >           0.0.0.0          0.0.0.0      192.168.0.1  192.168.0.117      25
>     >          10.1.0.0    255.255.255.0         10.1.0.5       10.1.0.6       1
>     >          10.1.0.4  255.255.255.252         10.1.0.6       10.1.0.6      30
>     >          10.1.0.6  255.255.255.255        127.0.0.1      127.0.0.1      30
>     >          10.8.0.0    255.255.255.0         10.1.0.5       10.1.0.6       1
>     > ...
>     >
>     > Client's output:
>     >
>     > Thu Jan 10 00:25:21 2008 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built
>     > on Oct  1
>     > 2006
>     > Thu Jan 10 00:25:21 2008 IMPORTANT: OpenVPN's default port
>     number is
>     > now 1194,
>     > based on an official port number assignment by IANA.  OpenVPN
>     > 2.0-beta16 and
>     > earlier used 5000 as the default port.
>     > Thu Jan 10 00:25:21 2008 Control Channel Authentication: using
>     > 'ta.key' as a
>     > OpenVPN static key file
>     > Thu Jan 10 00:25:21 2008 Outgoing Control Channel Authentication:
>     > Using 160 bit
>     > message hash 'SHA1' for HMAC authentication
>     > Thu Jan 10 00:25:21 2008 Incoming Control Channel Authentication:
>     > Using 160 bit
>     > message hash 'SHA1' for HMAC authentication
>     > Thu Jan 10 00:25:21 2008 LZO compression initialized
>     > Thu Jan 10 00:25:21 2008 Control Channel MTU parms [ L:1560 D:168
>     > EF:68 EB:0
>     > ET:0 EL:0 ]
>     > Thu Jan 10 00:25:21 2008 Data Channel MTU parms [ L:1560 D:1450
>     EF:60
>     > EB:135
>     > ET:0 EL:0 AF:3/1 ]
>     > Thu Jan 10 00:25:21 2008 Local Options hash (VER=V4): '<hash>'
>     > Thu Jan 10 00:25:21 2008 Expected Remote Options hash (VER=V4):
>     '<hash>'
>     > Thu Jan 10 00:25:21 2008 Attempting to establish TCP connection with
>     > 91.121.95.16:1194
>     > Thu Jan 10 00:25:21 2008 TCP connection established with
>     <public-ip>:1194
>     > Thu Jan 10 00:25:21 2008 TCPv4_CLIENT link local: [undef]
>     > Thu Jan 10 00:25:21 2008 TCPv4_CLIENT link remote: <public-ip>:1194
>     > Thu Jan 10 00:25:21 2008 TLS: Initial packet from <public-ip>:1194,
>     > sid=<hash>
>     > Thu Jan 10 00:25:22 2008 VERIFY OK: depth=1, <certificate fqn>
>     > Thu Jan 10 00:25:22 2008 VERIFY OK: nsCertType=SERVER
>     > Thu Jan 10 00:25:22 2008 VERIFY OK: depth=0, <certificate fqn>
>     > Thu Jan 10 00:25:25 2008 Data Channel Encrypt: Cipher 'AES-128-CBC'
>     > initialized
>     > with 128 bit key
>     > Thu Jan 10 00:25:25 2008 Data Channel Encrypt: Using 160 bit
>     message
>     > hash 'SHA1'
>     > for HMAC authentication
>     > Thu Jan 10 00:25:25 2008 Data Channel Decrypt: Cipher 'AES-128-CBC'
>     > initialized
>     > with 128 bit key
>     > Thu Jan 10 00:25:25 2008 Data Channel Decrypt: Using 160 bit
>     message
>     > hash 'SHA1'
>     > for HMAC authentication
>     > Thu Jan 10 00:25:25 2008 Control Channel: TLSv1, cipher TLSv1/SSLv3
>     > DHE-RSA-AES256-SHA, 1024 bit RSA
>     > Thu Jan 10 00:25:25 2008 [client] Peer Connection Initiated with
>     > <public-ip>:1194
>     > Thu Jan 10 00:25:27 2008 SENT CONTROL [client]: 'PUSH_REQUEST'
>     (status=1)
>     > Thu Jan 10 00:25:27 2008 PUSH: Received control message: 'PUSH_REPLY,route
>     > 10.8.0.0 255.255.255.0,route-delay 2 600,route 10.1.0.0 255.255.255.0,ping
>     > 10,ping-restart 120,ifconfig 10.1.0.6 10.1.0.5'
>     > Thu Jan 10 00:25:27 2008 OPTIONS IMPORT: timers and/or timeouts
>     modified
>     > Thu Jan 10 00:25:27 2008 OPTIONS IMPORT: --ifconfig/up options
>     modified
>     > Thu Jan 10 00:25:27 2008 OPTIONS IMPORT: route options modified
>     > Thu Jan 10 00:25:27 2008 TAP-WIN32 device [Local Area Connection 5]
>     > opened:
>     > \\.\Global\{F71B3A07-5805-4B69-97C9-73926191180F}.tap
>     > Thu Jan 10 00:25:27 2008 TAP-Win32 Driver Version 8.4
>     > Thu Jan 10 00:25:27 2008 TAP-Win32 MTU=1500
>     > Thu Jan 10 00:25:27 2008 Notified TAP-Win32 driver to set a DHCP IP/netmask of
>     > 10.1.0.6/255.255.255.252 on interface {F71B3A07-5805-4B69-97C9-73926191180F}
>     > [DHCP-serv: 10.1.0.5, lease-time: 31536000]
>     > Thu Jan 10 00:25:27 2008 Successful ARP Flush on interface [7]
>     > {F71B3A07-5805-4B69-97C9-73926191180F}
>     > Thu Jan 10 00:25:29 2008 TEST ROUTES: 0/0 succeeded len=3 ret=0 a=0
>     > u/d=down
>     > Thu Jan 10 00:25:29 2008 Route: Waiting for TUN/TAP interface to
>     come
>     > up...
>     > Thu Jan 10 00:25:31 2008 TEST ROUTES: 3/3 succeeded len=3 ret=1
>     a=0 u/d=up
>     > Thu Jan 10 00:25:31 2008 route ADD 10.8.0.0 MASK 255.255.255.0 10.1.0.5
>     > Thu Jan 10 00:25:31 2008 Route addition via IPAPI succeeded
>     > Thu Jan 10 00:25:31 2008 route ADD 10.1.0.0 MASK 255.255.255.0 10.1.0.5
>     > Thu Jan 10 00:25:31 2008 Route addition via IPAPI succeeded
>     > Thu Jan 10 00:25:31 2008 Initialization Sequence Completed
>     >
>     > Now the issue... From the client, I can ping 10.1.0.5 (tap gw), 10.1.0.1 (vpn
>     > gw), 10.8.0.1 (vmnet8, but on server's side) but not in vmnet8's network
>     > (10.8.0.128 for example).
>     >
>     > I've tried everything.... Here are some:
>     > * Set up a virtual interface (on eth0:0) with IP 10.1.0.1,
>     > * Put the openvpn network in vmware's network subnet (I think openvpn won't
>     > understand, well it didn't work anyway),
>     > * pushed gw for routes to the client (the client is slow to connect and tells me
>     > that the gw doesn't exist)
>     >
>     > I'm lost. Please help.
>     >
>
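
An added worked example (editor's addition; not part of the thread and not OpenVPN or VMware code) that models the routing discussed above: a toy longest-prefix-match router built on Python's ipaddress module, with the on-link gateway check that produces Rida's "Network unreachable", and an ip_forward switch on the server. The addresses and routes are the ones quoted in the thread; the 10.1.0.2/10.1.0.5 "vpn real gw" hop from Rida's drawing is modelled as a forwarding host called vpn-gw, and the host names and helper functions (build, trace, try_route_add) are invented for the example. It shows three things from JJK's replies: the VM needs no extra route because its default gateway is already the server (10.8.0.1); "route add -net 10.1.0.0 ... gw 10.1.0.1" on the VM fails because 10.1.0.1 is only reachable through a gateway, not on-link; and a ping from 10.1.0.6 to 10.8.0.128 dies on the server unless it forwards.

```python
"""Toy model of Linux IPv4 routing for the OpenVPN/vmnet8 thread (example code,
not OpenVPN or VMware code).  Models longest-prefix lookup, the on-link gateway
check behind "Network is unreachable", and the ip_forward gate on transit hosts.
Host names (server, vpn-gw, win-client, vm) are labels invented for the example."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[IPv4] = None          # None = connected route ("proto kernel scope link")


class Host:
    def __init__(self, name: str, forwarding: bool = False):
        self.name, self.forwarding = name, forwarding
        self.addrs: set[IPv4] = set()
        self.routes: list[Route] = []

    def add_addr(self, dev: str, cidr: str) -> None:
        iface = ipaddress.ip_interface(cidr)
        self.addrs.add(iface.ip)
        self.routes.append(Route(iface.network, dev))   # the kernel adds this one itself

    def lookup(self, dst: str) -> Optional[Route]:
        ip = ipaddress.ip_address(dst)
        cands = [r for r in self.routes if ip in r.prefix]
        return max(cands, key=lambda r: r.prefix.prefixlen, default=None)

    def add_route(self, prefix: str, dev: str = "", via: Optional[str] = None) -> Route:
        net, gw = ipaddress.ip_network(prefix), None
        if via is not None:
            gw = ipaddress.ip_address(via)
            if gw in self.addrs:      # JJK's "route to a subnet pointing to itself"
                raise ValueError(f"{self.name}: gateway {gw} is this host's own address")
            hop = self.lookup(via)    # the gateway itself must be reachable on-link,
            if hop is None or hop.via is not None:   # otherwise the kernel says ENETUNREACH
                raise OSError(f"{self.name}: route add {net} gw {gw}: Network is unreachable")
            dev = dev or hop.dev
        route = Route(net, dev, gw)
        self.routes.append(route)
        return route


def try_route_add(host: Host, prefix: str, via: str) -> str:
    """Error text the model gives for `route add -net PREFIX gw VIA`, '' on success."""
    try:
        host.add_route(prefix, via=via)
        return ""
    except (OSError, ValueError) as err:
        return str(err)


def trace(hosts: dict[str, Host], src: str, dst: str, max_hops: int = 8) -> tuple[bool, list[str]]:
    """Follow a packet hop by hop; returns (delivered, path) where path lists host
    names and, on failure, ends with a DROP reason."""
    owner = {a: h for h in hosts.values() for a in h.addrs}
    dst_ip = ipaddress.ip_address(dst)
    cur, path = owner[ipaddress.ip_address(src)], []
    for _ in range(max_hops):
        path.append(cur.name)
        if dst_ip in cur.addrs:
            return True, path
        if len(path) > 1 and not cur.forwarding:   # transit host with ip_forward=0
            return False, path + ["DROP: ip_forward=0"]
        route = cur.lookup(dst)
        if route is None:
            return False, path + ["DROP: no route"]
        nxt = route.via if route.via is not None else dst_ip
        if nxt not in owner:
            return False, path + [f"DROP: next hop {nxt} not in model"]
        cur = owner[nxt]
    return False, path + ["DROP: hop limit"]


def build(server_forwarding: bool) -> dict[str, Host]:
    """The topology from the thread, with the server's ip_forward as a parameter."""
    server = Host("server", forwarding=server_forwarding)
    server.add_addr("tun0", "10.1.0.1/32")
    server.add_route("10.1.0.2/32", dev="tun0")            # "10.1.0.2 dev tun0 scope link"
    server.add_route("10.1.0.0/24", via="10.1.0.2")         # installed by --server
    server.add_addr("vmnet8", "10.8.0.1/24")
    vpn = Host("vpn-gw", forwarding=True)                   # OpenVPN's virtual 10.1.0.2/10.1.0.5 hop
    vpn.add_addr("tun0", "10.1.0.2/32")
    vpn.add_route("10.1.0.1/32", dev="tun0")
    vpn.add_addr("tap-client", "10.1.0.5/30")
    vpn.add_route("0.0.0.0/0", via="10.1.0.1")
    client = Host("win-client")
    client.add_addr("lan", "192.168.0.117/24")
    client.add_route("0.0.0.0/0", via="192.168.0.1")
    client.add_addr("tap", "10.1.0.6/30")
    client.add_route("10.1.0.0/24", via="10.1.0.5")         # the two pushed routes
    client.add_route("10.8.0.0/24", via="10.1.0.5")
    vm = Host("vm")
    vm.add_addr("eth0", "10.8.0.128/24")
    vm.add_route("0.0.0.0/0", via="10.8.0.1")               # default gw is the server itself
    return {h.name: h for h in (server, vpn, client, vm)}


if __name__ == "__main__":
    for fwd in (False, True):
        hosts = build(server_forwarding=fwd)
        print(f"server ip_forward={int(fwd)}:")
        print("  client -> vm ", trace(hosts, "10.1.0.6", "10.8.0.128"))
        print("  vm -> client ", trace(hosts, "10.8.0.128", "10.1.0.6"))
    hosts = build(server_forwarding=True)
    print("vm: route add 10.1.0.0/24 gw 10.1.0.1 ->", try_route_add(hosts["vm"], "10.1.0.0/24", "10.1.0.1"))
    print("server: route add 10.1.0.0/24 gw 10.1.0.1 ->", try_route_add(hosts["server"], "10.1.0.0/24", "10.1.0.1"))
```

With forwarding off, both directions stop at "server"; with it on, the round trip is win-client -> vpn-gw -> server -> vm and back through the server's "10.1.0.0/24 via 10.1.0.2" route, with no route added on the VM at all. On the real server the switch the model's flag stands for is /proc/sys/net/ipv4/ip_forward.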

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users